[Owasp-topten] Happy with RC1 !

David Caissy david.caissy at gmail.com
Wed Apr 12 14:36:19 UTC 2017


Hi everyone,

Like most of you guys, I'm a web app pen tester (ex-developer) and I have
been doing VAs and pen tests for years. And like everyone else on this
mailing list, I was eager to see the new Top 10!

Here are my 2 cents:

1) Very happy that A4 and A7 are back together under "A4 - Broken Access
Control". I see tons of these in my assessments, but they really are two
variations of the same thing.

2) Also glad to see the "A10 - Unvalidated Redirects and Forwards" gone to
make room for other more important/common security risks.

3) About the new "A7 - Insufficient Attack Protection", I tend to disagree
with most comments made on this mailing list for several reasons:

a) First, in most cases (but there are exceptions!!), attacking a web app
which is not protected by either a WAF, RASP, AppSensor, etc. is almost a
joke. Sending tons of obvious attacks at a web app should never be
allowed... Even when the application is already very secure, I think this
kind of defense is a must. If you can scan a web site without raising
alarms, you rely heavily on the application and the security maturity of
the development team.

b) Not all WAFs are commercial products, so I don't feel it's a push for
vendors...

c) We all know that WAFs are only good against some classes of attacks and
personally, I've never seen them as band-aids (but I agree that maybe
people do...). I also often bypass them, but that doesn't mean that they
are not important. To me, it's the same as a regular firewall: they protect
against the easy stuff and for that reason, they are important. But they
are only a component in the big picture, not the solution to all security
problems!

d) To an extent, I don't think developers should worry much about DDoS
attacks. Other tools are there for that.

e) In almost all my pen tests, I find that there's a huge lack of detection
and response. So maybe there should be more emphasis on logs in A7?

4) "A10 - Underprotected APIs" is obviously covered by the other 9 items,
but it's not a bad idea to raise awareness on them. I still see lots of
developers who think that HTML forms are the only attack surface of a web
application. So like XSS and CSRF are injection attacks, it's not a bad
idea to focus on them for a while. Maybe we should change A10 to SSRF in
2020? Keeping the last one for awareness isn't a bad idea...

Overall, I'm quite pleased with the new Top 10 as I feel they better reflect
what I've been seeing in my assessments. 2017 is definitely better than
the 2013 version, so good job!! ;)

Dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170412/e4effac8/attachment-0001.html>
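The kind of application-level attack detection Dave's points 3a and 3e are about (noticing obvious probes and scanner traffic in the logs, AppSensor-style, instead of letting a whole scan run without an alarm) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the original post, from OWASP AppSensor or from any WAF product. It parses combined-format access log lines, tags requests that match a few coarse attack signatures or a known scanner User-Agent, and raises a per-IP alarm once the count crosses a threshold, including a separate threshold for 404 bursts (forced browsing / directory discovery). The log lines, IP addresses (RFC 5737 documentation ranges), signatures and thresholds are all constructed for the example.

```python
"""AppSensor-style attack detection over web access logs (constructed example)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Deliberately coarse signatures: the point is to catch "obvious" probes cheaply,
# not to replace input validation in the application (assumed patterns, not a product ruleset).
PATH_SIGNATURES = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+\d+\s*=\s*\d+|sleep\(\d+\)", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
}
UA_SIGNATURES = re.compile(r"sqlmap|nikto|nessus|zap|burp", re.I)

# Per-source thresholds before an alarm is raised (assumed values).
THRESHOLDS = {"per_ip_events": 3, "per_ip_404s": 10}


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode once so %27 / %3C match the same as the literal characters.
    entry["decoded_path"] = unquote(entry["path"])
    return entry


def classify(entry):
    """Return the list of detection labels that fire for one parsed request."""
    labels = [name for name, rx in PATH_SIGNATURES.items() if rx.search(entry["decoded_path"])]
    if UA_SIGNATURES.search(entry["ua"]):
        labels.append("scanner_ua")
    return labels


def analyze(lines, thresholds=THRESHOLDS):
    """Aggregate detections per source IP and return {ip: [reasons]} for IPs over threshold."""
    events = defaultdict(list)   # ip -> [(label, raw path), ...]
    not_found = defaultdict(int)  # ip -> number of 404 responses
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skipped here, would be counted/alerted on in production
        for label in classify(entry):
            events[entry["ip"]].append((label, entry["path"]))
        if entry["status"] == 404:
            not_found[entry["ip"]] += 1

    alarms = {}
    for ip in set(events) | set(not_found):
        reasons = []
        if len(events[ip]) >= thresholds["per_ip_events"]:
            reasons.append(f"{len(events[ip])} attack-signature requests")
        if not_found[ip] >= thresholds["per_ip_404s"]:
            reasons.append(f"{not_found[ip]} 404s (forced browsing / discovery)")
        if reasons:
            alarms[ip] = reasons
    return alarms


# Constructed sample log: one legitimate user (with a genuine 404), one hand-driven
# attacker that switches to sqlmap, and one wordlist run that only produces 404s.
SAMPLE_LOG = [
    '198.51.100.20 - - [12/Apr/2017:14:36:19 +0000] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Apr/2017:14:36:25 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Apr/2017:14:36:40 +0000] "GET /old-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2017:14:40:01 +0000] "GET /item?id=1%27%20or%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2017:14:40:03 +0000] "GET /download?f=../../../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2017:14:40:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2017:14:40:09 +0000] "GET /item?id=1%20union%20select%201,2,3 HTTP/1.1" 500 0 "-" "sqlmap/1.1"',
] + [
    f'192.0.2.55 - - [12/Apr/2017:14:45:{i:02d} +0000] "GET /{name} HTTP/1.1" 404 210 "-" "Mozilla/5.0"'
    for i, name in enumerate(["admin", "backup", "config", "db", "old", "test",
                              "tmp", "upload", "wp-admin", "phpmyadmin", ".git", ".env"])
]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(f"ALARM {ip}: {'; '.join(reasons)}")
```

Run against the sample, the legitimate user's single 404 stays below threshold and raises nothing, while both the probing IP and the wordlist IP are reported. Thresholds are per source address only; a real deployment would also key on session or account so that an attacker rotating IPs behind a proxy pool does not reset the counters, and would feed the alarm into whatever response (rate limit, block, page someone) the team has agreed on.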


More information about the Owasp-topten mailing list